× Startups Business News Education Health Finance Technology Opinion Wealth Rankings Politics Leadership Sport Travels Careers Design Environment Energy Luxury Retail Lifestyle Automotives Photography International Press Release

September 2, 2021


WhatsApp has been fined €225m (£193m) by Ireland's data watchdog for breaching privacy regulations.

It is the largest fine ever from the Irish Data Protection Commission, and the second-highest under EU GDPR  (Global Data Protection Regulation).

Facebook, which owns WhatsApp, has its EU headquarters in Ireland, and the Irish regulator is the lead authority for the tech giant in Europe. WhatsApp said it disagrees with the decision, and the severity of the fine, and plans to appeal.

The fine relates to an investigation that began in 2018, about whether WhatsApp had been transparent enough about how it handles information. The issues involved were highly technical, including whether WhatsApp supplied enough information to users about how their data was processed and if its privacy policies were clear enough.

Those policies have since been updated several times.

"WhatsApp is committed to providing a secure and private service," a company spokesperson said.

"We have worked to ensure the information we provide is transparent and comprehensive and will continue to do so. We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate."

GDPR rules allow for mammoth fines of up to 4% of the offending company's global turnover.

The Irish DPC said it had submitted its decision to other national data authorities, as required under GDPR, "following a lengthy and comprehensive investigation", and received objections from eight countries, including Germany, France, and Italy.

Some disagreed with the Irish regulator about which specific articles of GDPR had been broken or the way the fine had been calculated, among other issues. And in late July, the European Data Protection Board told the Irish DPC to tweak its finding, "reassess" its proposed fine of €30-50m (£26-43m), and amend its decision "by setting out a higher fine amount".

Formally reprimanded

This "shows how the DPC is still extremely dysfunctional", privacy campaigner Max Schrems said, welcoming the decision. "The DPC gets about 10,000 complaints per year since 2018 - and this is the first major fine," he said. And because of WhatsApp's planned to appeal, "in the Irish court system, this will mean that we will see years before any fine is actually paid".

The Irish DPC has also formally reprimanded WhatsApp and ordered it to "bring its processing into compliance", however. Only Amazon has been fined more for breaking GDPR rules, in this case, it is also vigorously defending.

In July, Luxembourg's regulator fined Amazon €746m for what it said was non-compliance with data-processing laws.

Analyst View

This development underscores the need for Fintech and other multinational corporations to understand the rules and regulations of their operational jurisdiction and sovereign entities. The fine is huge but at the same time, it will serve as a deterrent to organizations being reckless with the safety and processing of customer data. The appeal will certainly bring equity to the judgment.